Side-channel vulnerability in libgcrypt - the Marvin Attack

Hubert Kario hkario at
Fri Mar 22 13:24:41 CET 2024

On Friday, 22 March 2024 00:51:06 CET, NIIBE Yutaka wrote:
> Hello,
> And... yes, it's true that it's hard for programming to estimate
> worst-case running time, it's also hard to guarantee constant-time
> running time, in a given situation of programming environment and
> hardware architecture.

OpenSSL, BoringSSL (they have different code for RSA than OpenSSL now),
Go, NSS, GnuTLS, Apple corecrypto, and WolfSSL were all able to do this
operation in constant time in software, and those are only the ones
that I have directly seen the evidence that the fixes were successful,
so while it may not be simple, it's clearly not impossible.
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

More information about the Gcrypt-devel mailing list